Imperva has issued a warning after finding a serious SQL injection flaw with Rockyou.com – a social networking application development web site.
“Rockyou.com is not just any software site. Since its creation in 2006, it’s become the hub for many social networking sites such as Bebo, Facebook and Myspace, to mention but a few,” said Amichai Shulman, chief technology officer with the data security specialist.
“The bad news is that the SQL injection flaw could have allowed hackers to access the 32 million entries of user names plus passwords in the Rockyou.com database – and since the user names and passwords are by default the same as the users webmail account—such as Hotmail, Yahoo or Gmail—this is a major lapse in security,” he added.
“The vast majority of subscribers to Rockyou.com are using the same credentials on the site as their regular Web email service,” explained Shulman.
“The users are young and security is not top of mind, but nonetheless companies need to keep them protected and ensure their details are safe.
“With the popularity of web 2.0 tools, companies may focus more on becoming successful quickly at the expense of security.”
An attacker can use these credentials to perform any of the following actions:
1. Extract private information from the inbox: credit card numbers, confidential business information, passwords to another application such as bank application embarrassing pictures etc.
2. Identity theft – The attacker can send mail to the victim’s entire contact list on behalf of the victim.
3. Harvest the contacts info for spam – if each account has 10 unique contacts then the spammer will have 300 million addresses to spam.
“While individual users are urged to show prudence when surfing the web and especially providing account credentials to applications, it is the responsibility of application owners to protect the information trusted to them by users” adds Shulman.
“Web development in general can be rushed in order to get a service to market quicker. However, by rushing the time to deploy, companies may tend to overlook security.”
“We have notified the site operators of this problem, who re-acted quickly and fixed the issue over the weekend. Unfortunately some accounts had already been compromised before the vulnerability was fixed.
“All users need to be cautious and ensure they change their email passwords as their credentials may have been put at risk.” he added.
Imperva recommendations for keeping safe online:
1. Have separate business and personal email accounts
2. Carefully choose applications you trust with your email address
3. Change passwords regularly
4. Ensure default passwords are changed so they are not the same as ones used for email accounts
1. Protect your applications against application level attacks using available technologies such as web application firewall.
2. Never store passwords in plain text.
3. Don’t ask for your user’s webmail’s password unless it’s absolutely necessary, and certainly don’t store it afterwards.